The sys-apps/man ebuilds call "chown -R" on the live root filesystem in pkg_postinst:

    pkg_postinst() {
        einfo "Forcing sane permissions onto ${ROOT}var/cache/man (Bug #40322)"
        chown -R root:man "${ROOT}"/var/cache/man
        chmod -R g+w "${ROOT}"/var/cache/man

This can be exploited by anyone in the "man" group to gain root privileges. If a hard link is placed in /var/cache/man, then the next time sys-apps/man is upgraded or reinstalled, the "chown -R" will affect the target of the symlink, potentially making root-owned files writable by the "man" group.

For example,

1. emerge sys-apps/man
2. su -s /bin/sh -c 'ln /etc/passwd /var/cache/man/x' man
3. emerge sys-apps/man
4. /etc/passwd is group-writable and root:man
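An added example, not part of the original report or of any Gentoo ebuild: a pre-flight audit that lists the entries a recursive chown/chmod would propagate outside the tree, plus a variant that skips them. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Gentoo code).

# Print entries under directory $1 that a recursive chown/chmod must not
# touch: regular files with more than one hard link (the same inode may
# also be reachable under another name, such as /etc/passwd) and symlinks.
list_link_risks() {
    find "$1" -xdev \( -type f -links +1 -o -type l \) -print
}

# Change ownership only on directories and singly-linked regular files.
# $1 = owner:group, $2 = directory.
# chown -h never follows a symlink. Note that this is still check-then-act:
# a member of the writable group can create a link between find's test and
# the chown, so the robust fix is to avoid privileged recursive operations
# inside a directory that an unprivileged group can write to.
chown_unlinked_only() {
    owner=$1
    dir=$2
    find "$dir" -xdev \( -type d -o \( -type f -links 1 \) \) \
        -exec chown -h "$owner" {} +
}

# Audit first and refuse to proceed if anything suspicious is present.
# $1 = owner:group, $2 = directory. Returns 1 when risky entries exist.
audited_chown() {
    risks=$(list_link_risks "$2")
    if [ -n "$risks" ]; then
        printf 'refusing to chown, linked entries found:\n%s\n' "$risks" >&2
        return 1
    fi
    chown_unlinked_only "$1" "$2"
}
```

Running `list_link_risks /var/cache/man` as a periodic check also works as a detection: that directory has no reason to contain multiply-linked files.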
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
Treecleaned a while ago. Very old bug so will go to noglsa.

commit ce370f012e25ad2eb756cbcaf768bf053161d067
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Sat Mar 7 16:54:44 2020 -0500

    sys-apps/man: remove package

    Closes: https://bugs.gentoo.org/468428
    Closes: https://bugs.gentoo.org/515534
    Closes: https://bugs.gentoo.org/524588
    Closes: https://bugs.gentoo.org/589738
    Closes: https://bugs.gentoo.org/605352
    Closes: https://bugs.gentoo.org/651038
    Closes: https://bugs.gentoo.org/683494
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>